Mal/Behav-010 Virus

Status
Not open for further replies.

MrTBC

Technical User
Nov 19, 2003
610
US
Hi Guys,
I have a virus that is proving difficult to remove.

When booting the machine up Sophos displays message after message informing me that c:\windows\system32\_c008DCF3.dat belongs to virus/spyware Mal/Behav-010.

Firstly I ran a scan of the c: drive with Sophos set to automatically clean-up viruses. The scan would pick up several Temporary Internet files infected with Mal/Behav-010 and then eventually reach a point in c:\windows\system32 where it would blue screen and display this error:

Code:
STOP: C000021A (Fatal System Error) The Windows Logon Process system process terminated unexpectedly

This happened several times.

Some files would be Quarantined but Sophos would say that the virus was only partially detected and it couldn't be cleaned up until I ran a full system scan.

I managed to get a full system scan to run by setting Sophos to Quarantine rather than clean-up infected files.

Sophos now said that Mal/Behav-010 was fully detected and gave me a clean-up option.

But, guess what - selecting clean-up gives me the good old BSOD and when I reboot the virus is again showing as only partially detected.

Any ideas please?!?!?!?!?!

Thank you.
 
Restart your computer and load in safe mode. To get into safe mode, as soon as your computer restarts, start pressing F8 over and over until you reach a screen with options. Choose "Start Windows in Safe Mode" and then run the scans there.

Post back with the results

There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
 
Thanks, I've done this from the command line (using Safe Mode With Command Prompt) following Sophos' instructions. Sophos removed 20 items including Mal/Behav-010 and a bunch of Trojans.

If I restart into Safe Mode With Command Prompt and rerun Sophos then everything is clear.

But when I restart to Windows and run Sophos from the OS then I'm back to square one and Mal/Behav-010 is once again partially detected and causes a BSOD on clean-up...
 
One more thing, I think the infected files that are still present may be in the System Restore data. Should I disable System Restore?
 
Sophos used to be able to create a boot CD with their latest AV signatures. You could boot the PC from the CD which would then run the AV program. I don't know if they still have that option, though.


James P. Cottingham
-----------------------------------------
I'm number 1,229!
 
Yeah, disable System Restore and then enable it when the virus is gone. It also might be worth looking in the registry to see what files are being associated with this trojan/virus.

Also this registry cleaner might help with things.


Another thing that might help is a post from Linney from the XP forum. Below is his post; follow it and it should replace the corrupted files with the originals. You will need your system CD, I think.

1. Boot to Recovery Console.

2. Type the following commands:
cd system32 [enter]

ren winlogon.exe winlogon.old
ren msgina.dll msgina.old
ren shell32.dll shell32.old
ren shlwapi.dll shlwapi.old

cd.. [enter]
cd servicepackfiles\i386 [enter]
copy MSGINA.DLL c:\windows\system32
copy SHELL32.DLL c:\windows\system32
copy WINLOGON.EXE c:\windows\system32
copy shlwapi.dll c:\windows\system32

If not there, expand from the CD.

3. Type EXIT and hit enter.

End quote...from a Patrick on this link.

There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
 